Four steps to help evaluate a cloud computing provider
FINANCIAL INSTITUTIONS INSIGHTS |
While the banking industry has been relatively slow to embrace cloud computing, experts say the industry's need to drive down IT costs may finally prompt more institutions to consider the move. Despite potential benefits to the bottom line, bank executives need to understand that the cloud computing option is not without risk. Bank leaders still need to be highly vigilant about IT risk management, particularly since data-rich cloud sites are becoming a much more attractive target for global hackers.
According to a recent survey by cloud provider Netskope, up to 15 percent of business cloud users have had their credentials compromised through sub-par password practices, and 8 percent of corporate cloud storage files were found to be in violation of data leak prevention policies.1 Additionally, hackers successfully exploited a "Heartbleed" vulnerability in Open SSL encryption software used by a large number of companies, including Community Health Systems, Inc., which reported that 4.5 million patient records had been stolen last year.2
Is your bank considering the cloud as a processing or storage location for business-critical data? If so, remember that you are still responsible for assessing, supervising and enforcing provider performance, managing provider risks and maintaining reliable data access security. To help achieve these goals, consider the following steps:
Do a cost-benefit analysis. Most banks have a surprisingly high amount of data, images, processes and files that are candidates for migration to the cloud. But a study by Vision Solutions reported that 60 percent of IT leaders did not conduct a migration cost analysis before choosing to move ahead with a cloud computing initiative.3 For that reason, it's smart to do an assessment that includes potential savings in hardware, software and backup investments, expenses for possible system downtime and IT staff time during a migration, and the ongoing cost of network administration support. Remember, an ill-considered cloud migration can result in extended system downtime, business interruptions and unhappy customers.
Choose the hosting environment that best meets your needs.In general terms, the cloud is a virtual computing platform, in which a bank's actual data may be stored or processed in connected servers anywhere in the world. On the other hand, a cloud subset known as a hosted environment still works as an offsite computing resource, but with data stored in a defined location. In a hosted environment, a bank has direct access to a shared or dedicated server, making it easier for IT staff to align security protocols with that system. In a classic cloud environment, providers host data on multiple connected servers. While this does enhance reliability, it can make it harder for a bank's IT team to choose cybersecurity controls that compensate for data spread across multiple servers.
Classify and segregate your data. This begins with a basic data review process, separating publicly available material (such as staff lists, locations, marketing materials or other nonproprietary items) and nonpublic personal information (such as customer names, addresses, account numbers or financial information). If the bank opts to migrate nonproprietary public data to a shared server or multiple connected servers, that choice poses little risk. While the best option for storing customer-sensitive information may be on a single in-house or dedicated hosting server, this data can also reside in a shared cloud environment that has strong encryption features.
Find a provider with financial services expertise. While there is a wide variety of cloud and hosted service providers, it's a good idea to limit the candidate pool to firms with a demonstrated track record in financial services. That's because regulatory agencies have very specific risk management expectations regarding outsourced data services. For example, the Federal Financial Institution Examination Council (FFIEC) issued guidance in 2012 with regard to cloud computing, noting that the agency considered it as "another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing."4 Key points in FFIEC's guidance statement include:
- Vendor management. In this area, the agency notes that banks may need to employ additional controls if a cloud service provider is not familiar with legal and regulatory requirements in the financial industry. In addition, FFIEC says, "the use of such a servicer may present risks that the institution is unable or unwilling to mitigate."5
- Audit. According to FFIEC, any bank wishing to use cloud services must evaluate the adequacy of the provider's internal controls. As part of that process, the bank's IT audit policies and practices must also be reviewed to ensure sound oversight of outsourced cloud computing.
- Information security. Anytime all or part of a bank's data storage or processing is outsourced, the information security process becomes more complex. In addition to monitoring any security-related threats on both internal and cloud-based IT systems, FFIEC guidance says banks should also develop clear incident response plans, which include forensic strategies for evidence collection and investigation. Due to the highly-sensitive nature of nonpublic personal information, the agency also says banks should verify that a given cloud provider can cleanly remove such data at the end of a contract relationship. In high-risk situations, such as when unencrypted customer data is stored in the cloud, a bank may need to employ continuous monitoring to have assurance that the cloud provider has adequate cybersecurity controls.
- Business continuity. Bank executives know that operational continuity is critical to maintaining customer trust and confidence. This principle is no less true when applied to outsourced cloud data storage or processes. In its guidance, FFIEC says banks are responsible for determining if the cloud services provider and network carriers have sufficient resources and plans to ensure operational continuity and disaster recovery.
Without question, the cloud can be an effective way for banks to enhance their existing IT resources. By following these steps, your bank can make more informed choices on provider selection, data evaluation and migration planning.